Cloud after COVID

The past 15 months have cemented the importance of moving employee- and customer-facing systems to the cloud, but many agencies are still far from that desired end state. In some cases, budget and leadership buy-in remain insufficient, and the challenges of moving to zero trust security loom for virtually every organization.

FCW recently gathered a group of IT leaders to explore how a year of maximum telework and nearly all-digital operations has altered the role cloud services play in supporting agency missions. The discussion was on the record but not for individual attribution (see below for the list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.

Collaboration is a game changer

Perhaps the biggest change participants noted was the way cloud collaboration tools took hold. “ We’ve taken advantage of a lot of the collaboration apps that are available in cloud platforms,” an official from a smaller agency said. “We hadn’t anticipated needing those so badly.”

The embrace of new services also jump-started work on existing systems. “Other collaboration tools where work kind of stagnated throughout the years all of a sudden are getting pushed to the forefront,” an executive from a larger agency said, adding that the challenge now is “how do we connect them all to make sure that they continue to give us the capabilities we need?”

“There’s no doubt that COVID significantly changed how we do business across the enterprise,” another participant said. “The ability to collaborate was a game changer. And I think we let the genie out of the bottle. So now we have folks who never had the ability to collaborate the way they can today expecting that going forward for everything.”

The biggest collaboration example was Commercial Virtual Remote — the Defense Department’s emergency deployment of Microsoft Teams for all of DOD. At the time of the roundtable discussion, CVR was just days away from shutting down in favor of permanent, service-specific tenancies. Across DOD and in civilian agencies, the new expectation “is that that’s the way we are going to work,” one official said. “So how do we keep that?”

Improving identity, credential and access management will be essential, another participant said, especially with military personnel moving to multiple systems. “Being able to bring folks into the collaboration space easily — identity is the key,” he said. “So we need to make sure that we do it right, but we have to move quickly on it because the expectation is that if we don’t, they’re going to call in two weeks and say, ‘Turn CVR back on.’”

The virtualized work environment has brought other complications. One executive recalled hosting a call to discuss security concerns with a broad range of stakeholders. More than 100 participants called or logged into the platform, and the organizers quickly realized there was no way to easily identify the callers. Unable to map names to phone numbers, “we just decided to kill the call.”

The lesson is that “these types of communication platforms are going to be leveraged, and there are some new challenges relative to boundaries and security controls that we now need to examine further,” the participant said.

“I think the key for everyone is really thinking about the user story,” another official said. “Who are the users who have to be able to access these vital systems to do their jobs? How difficult are you going to make it for them? If you make it too difficult, guess what? They’re going to find other ways that are not secure to do the same thing. You’re forcing them to do it in an insecure way because you’re making it so hard that it just doesn’t work.”

Making sense of the security challenges

Another official said: “ We really need to think about the security and the things we were doing around that to make sure that we can keep doing that in a secure, safe way, but at the same time maximize some of the traction that we’ve made in this last year.”

Zero trust security will be an increasingly important part of those efforts, the group agreed. There is a buzzword factor at work, one said, “but the reality is that we should be able to work in an environment where people can get to the tools they need however they can but in a secure way. And we’ve seen a lot of this shift. Whether it’s development or whether it’s deployment, all these things are now moving out into the cloud and to the edge. And I think that COVID kind of forced that.”

“ You’ve got to think in terms of securing our edges, and that has created a huge paradigm shift,” another official said. “We were thinking about that already, but now it just became a norm.”

A third participant pointed to “ a bit of a dichotomy”: Government leaders have realized that “accessible online services were absolutely critical,” but maximum telework also “opened everyone’s eyes to what we actually mean when we talk about things being secure — not just being planned or being documented, but actually truly understanding about people, about identity, about devices because now we’re forced to work in this distributed world.”

Getting traction on such topics was difficult before the pandemic, that official added, “because sometimes we’re speaking to people who don’t feel the pain. But now people’s eyes have been opened.”

The complexity of securing so many different services also poses challenges, other participants said. “It is really important to understand the roles and responsibilities of the service provider and the customer,” one said. “There are lots of service-level agreements out there.”

Several officials, however, argued that the biggest friction point involves authorization and accreditation. “You’ve got folks who are really forward-leaning on the development side, building and then deploying into the cloud,” one said. “But when it comes time for the accreditation, we’ve seen that around the department, they don’t fully understand, and they’re trying to fit the old rule set into the new technology. It doesn’t fit.”

A continuously monitored authority to operate (ATO) is “the north star,” another official said. “That’s what everybody wants, but to get there, just look at the way we describe the state right now. Yes, we want to approach it as an ecosystem. No, we don’t want to sacrifice the user experience or customer experience. Yes, we want to be 100% secure. All these things kind of contradict each other, but you want to get to that nirvana.”

The problem is not cloud systems per se, another official said. “Whenever I hear about continuous ATO and people lamenting the accreditation process, I still feel like people aren’t focusing where the focus needs to be, which is the way we’ve organized ourselves. We don’t incentivize our program officers to change requirements on the fly. And we talk about bringing security on early and often, but do you have the teams with the skill sets that actually have the time to be part of your process early and often? As you iterate capabilities, do they have the time or even the context to support you? And the answer for most is no.”

In other words, that official said: “We haven’t organized ourselves around how we actually want to function as an organization by continuously building, continuously monitoring and continuously enhancing our software capabilities. I still feel like that’s the major limiting factor for most organizations in this domain.”

COVID as catalyst for leadership buy-in?

The pandemic pushed daily operations into the cloud like never before, and agency leaders have taken notice, participants said. One described meeting “ every two weeks with every single three-star and a few four-stars to talk about our digital modernization strategies and how we’re moving forward. It started about three months prior to COVID kicking off, but COVID was almost like gasoline on that fire of top cover for senior leaders — or at the very least creating room for the discussion.”

Another official pointed to the ultimate indicator of leaders’ interest. They wanted to know: “Where did we spend our money?” The funds distributed under the Coronavirus Aid, Relief and Economic Security Act were “about increasing the capacity of compute or about the security. We were already good at security. But I think now we are more into baked-in security.”

“Sometimes you get those moments where the light bulbs go off and they create room for actually solving the problem,” said another official, whose agency had made clear “that we will actively reprioritize fiscal 2022 funding in order to align with our digital modernization and data and cloud modernization initiatives. All options are on the table.”

“There’s an opportunity for us to correct a lot of the technical debt that we’ve incurred over a number of years,” another executive said, “because people in positions of leadership are now realizing that our digital infrastructure is a major limiting factor for us to be able to move forward.”

Getting the culture changes to stick

Although top-level support for continued cloud modernization is fairly widespread, the group voiced concerns about their agencies reverting to old habits.

“I’m starting to see examples of us falling back into our old ways of doing business,” one said. When it comes to enterprise with a capital E, “people are starting to say, ‘Oh, let’s lock all these things down’ — meaning it has to be government owned. Everything has to be on the government network.”

That participant added that “one of the things we’re going to learn kind of dramatically this year is that if we don’t design based on the user and make a positive, enjoyable and awesome customer experience, people are just going to do their own thing anyway, which creates more risk for us.”